for privacy use passcode

6 tips for mobile device security & privacy

If you have a mobile device, you realize how powerful it can be.  The more you rely on these devices the more you need to be aware of protecting your data on them.  Here are 6 quick tips to protect you mobile device:

1. Separate phone / SIM card – A separate phone / SIM card helps you keep your privacy on personal matters.  Use a separate phone or SIM for work, home or for your personal business.  Keeping it separate helps keep all transactions on a specific device.

 2.  Mobile device security code – creating a phone security code prevent anyone from spying your phone by just picking it up and tapping a button.

for privacy use passcode

use cell phone privacy lock screen-pin

 3 . Delete history – You mobile device saves and tracks all transactions by default.  So if someone got access to the it, they could see everyone you contacted back to the first day you activated the device.  Deleting phone calls and messages remedy that some what.

 4. Keypad lock – You must have your keypad automatically lock after  a short period of inactivity just in case you set your device down and forget to lock it manually.  The shorter the time you set (ex:5 seconds) the better.

 5. SIM card code – for confidential contacts, setting a code into your SIM card is a must.

 6. No automatic email log in – do not set your emails into automatic log-in so people cannot trace your personal info by merely picking up your phone.

Mobile devices with links in to social media, personal email accounts, contacts, and transactions can give someone immediate access into all aspects of your personal life.  Its important you implement some or all of these tips if you want to maintain some of your privacy.

diarmf risk management of information security

diacap to diarmf: manage information security risk

Risk Management Framework is implemented throughout an organization.

NIST 800-39, Manage Information Security Risk, describes how to implement risk within t three layers (or tiers) of of an organization:

Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

diarmf risk management of information security

Tier 1: Organization Level risk management
Tier one addresses security from the organizations perspective. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides context of all the risk activities within an organization, which affects the risk activities of tier 1 & 2. The output of risk framing is Risk Management Strategy. In tier 1 the organization establishes and implements governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

Tier 2: Mission/Business Process Level risk management

Tier 2 risk management activities include: 1) defining the mission/business processes to support the organization. 2) Prioritize the mission/business process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, criticality/sensitivity of the information and the information flows both internal and external of the information.

Having a risk-aware process is an important part of tier 2. To be risk-aware senior leaders/executives need to know: 1) types of threat sources and threat events that could have an adverse affect the ability of the organizations 2) the potential adverse impacts on the organizational operations and assets, individuals, the Nation if confidentiality, integrity, availability is compromised 3) the organization�s resilience to such an attack that can be achieved with a given mission/business process

Tier 3: Information System risk management

From the information system perspective, tier 3 addresses the following tasks:
1) Categorization of the information system
2) Allocating the organizational security control
3) Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the step to have a comprehensive risk management program. The tasks discussed include:
Risk Framing
Risk Assessing
Risk Response
Risk Monitoring

 

For more information go to: http://elamb.org/training-certification800-39-manage-information-security-risks/

 

gmail security

gmail security

gmail security

Gmail is one of my favorite email products.  Its free, its extremely good at collecting and organizing data (in-line with google’s vision of world information organization domination) and its so intuitive.

The gmail security features are kind of tucked away to bring the organization and search functions to the foreground.  But once you know where they are, its easy.

1. First, browse into your email and sign in.

 

2. Inside your email under your name, click privacy.

3. Under Account Privacy, hit Security and add alternate recovery email and mobile number.   This will allow gmail security to alert you of any suspicious activity such as someone attempting to access your account.

gmail security

gmail security

diacap diarmf

diacap to diarmf: intro

DIACAP to DIARMF: Intro

diacap diarmf

image of diacap to rmf

DoD Chief Information Officer (formerly Assistant Security Defense), in collaboration with the Department of the Navy CIO, has developed a DoDI 8500.2 to NIST SP 800-53 IA control mapping (2010). More DIACAP Knowledge Service.

DIACAP Knowledge Service

On the DIACAP Knowledge Service goto “C&A Transformation”. This page introduces some of the coming changes from Certification & Accreditation changes to the Risk Management Framework seen in NIST SP 800-37.

DIACAP has “Risk Management Framework Transformation Initiative” underway that provides information on use of NIST SP 800-53, NIST SP 800-37, CNSS Instruction 1253.

The site introduces changes being made to DoDD 8500.01, DoDI 8500.2, DoDI 8510.01 and other documents that will be aligned with NIST 800 and FISMA 2013. They will feature an attempt to keep up with new arising cyberthreats, vulnerabilites and security incidence using real-time, “continuous monitoring” technologies such as HP ArcSight, McAfee ESM, ePO, NSP, Retina, Nessuss and other near real-time active monitoring systems.

diacap to diarmf

road to diarmf

Why DIACAP to DIARMF?

Federal government has gotten more serious about security.  They realize that enterprise level security and process is a continuous and expensive business.  The old certification & accreditation process is not only long and expensive but so slow that it cannot keep up with the constant changes of information technology.

Risk based/cost effective security means creating security systems and policies that focus on “adequate security”.  The Executive Branch Office of Management and Budget (OMB) defines as adequate security, or security commensurate with risk, to include the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.  The feds are also attempting to make the process of implementing and evaluating security controls by creating as much paper-less automation as possible.

note IMHO: Since technology is changing at a rate of what Ray Kurzweil calls “accelerating returns” I think for governments and organizations stuck in “static policy” based systems there is no way they can ever keep up with information technology without revolutionary shift in thinking.  Google is probably the closest to understanding what is actually happening.  The best any of us can do is observe.

 Source documents for all U.S. Federal information security:

OMB A-130 – Management of Federal Information Resources

FISMA – Federal Information Security Management Act of 2002

Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541) enacted as Title III of the E-Government Act of 2002 (Public Law 107-347)

Required for all government agencies  to develop, document, and implement an agency-wide information security program to provide information security for the information and systems that support the operations and assets of the agency Applies to contractors and other sources.

The federal government has created various acts/laws to implement to changes to the C&A process to a more risk management approach and emphasize a risk-based policy for cost-effective security. These acts include (but are not limited to):

  •  Federal Information Security Management Act of 2002 (amended as of 2013 April)
  • The Paperwork Reduction Act of 1995
  • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) supported by Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources

 

who-created-manages-nist-800

Who Created/Manages NIST 800?

Who Creates and/or Manages the NIST 800?

This NIST 800 is a well thought out set of federal security standards that DoD and the Intel world is moving too.  It aligns with International Organization for Standardization (ISO) and International Electotechnical Commissions (IEC) 27001:2005,  Information Security Management System (ISMS).

who-created-manages-nist-800

who-created-manages-nist-800

NIST 800 is updated and revised by the following organizations:
Joint Task Force Transformation Initiative Interagency  (JTFTI) Working Group National Institute of Standards and Technology (NIST)
JTFTI is made up of from the Civil, Defense, and Intelligence Communities.  This working group reviews and updates the following documents

  •      NIST Special Publication 800-37, Revision 1 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  •     NIST Special Publication 800-39, Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View
  •     NIST Special Publication 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
  •     NIST Special Publication 800-53A, Revision 1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

These core documents are a standard on how to implement FISMA. The organization has done a good job of keeping NIST 800 inline with international standards of ISO 27001.  The JTFTI is made up of ODNI, DoD, CNSS.  This document is also publicly vetted.

Office of the Director of National Intelligence (ODNI)
The DNI is a position required by Intelligence Reform and Terrorism Prevention Act of 2004.  This office serves as adviser to the president, Homeland Security and National Security Counsil as well and director of National Intelligence.

Department of Defense (DoD)
DoD is composed of (but not limited to) the USAF, US Army, DON and Marines.  It is the most powerful military organization in recorded history.

Committee on National Security Systems (CNSS)
This committee was created to satisfy National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems“,
the group has represtatives from NSA, CIA, FBI, DOD, DOJ, DIA and is focused on protecting the US crititcal infrastructure.

Sources: http://en.wikipedia.org/wiki/Committee_on_National_Security_Systems

Public (review and vetting) – the draft is posted online on NIST.gov

http://csrc.nist.gov/publications/PubsDrafts.html

 

sources:

FISMA JTFI

http://www.fismapedia.org/index.php?title=Joint_Task_Force_Transformation_Initiative

Scadahacker – mappings NIST to International

http://scadahacker.com/library/Documents/Standards/mappings/Mapping%20NIST%20800-53.pdf

 

reset-password

Windows Password Recovery: ONTPRE

Offline NT Password & Registry Editor (ONTP&RE)

Did you lock yourself out of your Windows system?  Forgot your Windows password?  What is the best Windows password recovery?

The best way is to have a Windows Recovery disc ready.  But this is something you must do BEFORE you get locked out.

reset-password

reset-password

There are tools you can use to get into your system, but the first think you should try is to use “Administrator” as the user with no password.  “Administrator” is a default account on Windows systems.  On Windows 7 it is disabled by default but if someone has used the account you may be able to use it as backdoor into the system.

If their is not Administrator account and no Windows Recovery disc you will have to use a Windows password recovery tool.  ONTP&RE is a password recovery tool that allows quick access to windows systems.

Reset Password : Windows 7

1.  Download ONTP&E: First, download the Windows password recovery software from pogostick.net . pogostick.net/~pnh/ntpasswd/cd110511.zip

2.  Unzip ONTP&E:  Files are compressed into 1 folder named ( cd110511.zip).  Unzip the file.

3.  Create CD with ISO:  Set the cd disc creator into ‘image to  disc’’. Burn the image to the cd.  Each CD burner software is different, so you will have to figure out how to create a CD from the ISO.  Sometimes its as easy as double clicking the ISO but it depends on the type of software.

4.  Reboot & Insert:  Actually, you need to make sure your Windows system is able to boot from the CD.  Once its done , insert the cd back to the CD ROM  and reboot your computer.

5.   Computer Boot from CD:  As your computer reboots, keep hitting F2 to go through the BIOS.  Select “Boot Options”.  Some versions of BIOS call this “Boot”.  But the idea is the same.  Go into the BIOS and make sure CDROM is on the top of the list for boot options.  This means that the computer first looks at the CD before going to the Hard Drive.  Instructions on modifying BIOS settings will be listed on the page.

6.  Boot into ONTRE:  Once the BIOS boot option is set, save and exit.  Your system will boot into your ONTRE disc.  Software will start running. Just follow the steps.  “Press enter” to boot into the “Offline NT Password & Registry Editor” CD.

windows password recovery

screen shot of Offline NT Password & Registry Editor

7.  Select an Account:  It will ask you to select an account.  If you hit “Enter” it will automatically boot into the [Administrator] account.

*note: Anything in [brackets] is the default value, so if you hit “Enter” it will auto-magically choose that [bracket] value.. its a linux thing.. you wouldn’t understand.

If you choose the “Administrator” account, you may need to Enable the account since the built-in Administrator account is  disabled by default in certain versions of Windows.

8.  Enable Built-in Administrator Account:  The Windows account  needs to be enabled.  Select 4  and enter ‘to Unlock and enable user Account’.

windows ontpre menu enable

windows ontpre menu

9.  Clear (blank) User Password:  After selecting 4-Unlock and Enable user account, you will be sent back to the User Edit Menu. If you want to clear the Administrator password (if it has one) then hit enter or type Administrator and Select 1 and “Enter” – to clear the user password.

10.  Save Changes:  Once you have made all the changes you want (enabled the Administrator account & cleared any passwords), you are ready for the next step.  Hit  ‘!’ and enter.

Windows Password save changes

Windows ONTP&RE password save change

On the screen it asks ‘What to do’?  hit q to quit. You will see:

Step FOUR:  Writing back changes

“About to write file(s) back.  Do it ?’’

Hit   Y  and enter to save changes.

11.  Last Step:  Hit “Ctrl-Alt-Del” to reboot and eject the cd quickly.  This will allow the system to boot into Windows on the Hard drive.

You can now login as “Administrator” with NO password.

Once you are in as Administrator you can change passwords of any local accounts in Control Panel | Users.

snowden-manning-heros

Snowden-Manning Heros?

DISCLAIMER: I have no first hand knowledge of the NSA PRISM program.  This is just my personal opinion of Edward Swowden’s release of classified information and the impacts.

What is PRISM:

PRISM is the code name for the data collection program which was born out of the Protect America Act.

Recently Mr. Edward Snowden released classified information to the international media and fled the U.S.  He was working on the PRISM program and felt that the right thing to do was to tell U.S. citizens about their loss of privacy.

 snowden-manning-heros

snowden-manning-heros

SHH!! Don’t tell anybody this.. but privacy has BEEN gone if you are on Facebook, Google or any other social network.  These organization are storing our private data.  But what do these organizations do with that data?

  • Do they try to protect your data?
  • Do they sometime release it to third parties?
  • Can certain data you store on their system be used against you in a court of law?
  • All of the Above 🙂

Encrypt your data.  That is the only real way to have privacy to a trusted party.   Don’t use FB or Google for stuff you want hidden.

The Need for Some Sort of PRISM:

Spies get a very very bad rap lately.  Analysts are unsung heros.   It that world nothing is what it seems.  The media presents one side of everything.  You have to dig and cross reference to get facts.  Intelligence provides a proactive answer to security.  I am speaking from the perspective of someone who has done security defensively.  There is a need for gathering data within the U.S. infrastructure.  Once data is gathered, it can be correlated to detect patterns of potential threats.

So I think we MUST have something like PRISM (especially in the US) due to the exposure of our assets and the subsequent likelihood of attack. We have a high risk.  And the greatest risk is from INSIDERS (ironically enough PRISM cannot protect itself).

There are three main issues with the programs current setup:

1.  Lack of Oversight & Transparency: There seems to be very little transparency and  oversight that represents US citizens regarding privacy and controlling how far the government can go.  US Senators are led away from what is really going on.

2.  Total Information Awareness:  This system may be too DAMN powerful as far as what it is capable of.  In fact, it seems to be like using GOD Mode 24/7 to gather information.  Snowden mentioned that it can track ANY email.. is this on a whim?  does there need to be some sort of probable cause or “reason to believe” or is this left to the discretion of the guy with his finger on the button.. this leads to the next issue..

3. The Patriot Act II + Protect America Act =  Its too DAMN politically powerful.  This program has the legal backing to do anything with NO checks and balances.

Is SNOWDEN A HERO?

Would I call Snowden/Manning heros/martyrs?  I would not group Snowden with Manning.  The information that Snowden released (so far) is showing a the capability of NSA spying (something that was done by whistle blower William Binney in 2002).  PVT First Class Bradley Manning leaked a lot of war material that risked a lot of people’s lives:

videos of the July 12, 2007 Baghdad airstrike and the 2009 Granai airstrike in Afghanistan; 250,000 United States diplomatic cables; and 500,000 army reports that came to be known as the Iraq War logs and Afghan War logs. It was the largest set of restricted documents ever leaked to the public. — http://en.wikipedia.org/wiki/Bradley_Manning

The problem with this is that it actually endangered the lives of informants, and some people that were on the ground in Afghan/Iraq.  Manning fucked up big time.  Snowden is a hacktivist who will have to spend sometime in prison or in Iceland evading the US government unless the American public rallies to sway the politicians.

Whistleblower Protection:

My hope is that there is due care taken on this issue.  Because there is a real concern regarding the Constitution, Privacy and uncheck powers of the government.  If not, perhaps the next administration will take up the call of the people.  SarbanesOxley Act of 2002 has a Whistleblower Protection Act that would be helpful if such a law could apply to Snowden.  I am not so sure about that.

Transparency & Accountability

I know their needs to be transparency and accountability. But I think its naive to think that we should release all information on all classified data to the world as the Wikileaks crowd believes.  

Why?

Organizations & States have an obligation to maintain Confidentiality of critical data.

That means databases with witness protection programs must be kept Confidential, bank transactions must be protected..

Nations have some serious enemies (ESPECIALLY the US).  The US governments duty is to protect its people from those enemies (foreign or domestic).

Consider this:  Certain information on the physical/logical locations of weapons systems, pattens on lethal biochemicals, information on the capabilities of a nation are very effective tools in the hands of really bad people.

Its naive to think that opening up all classified data is going to set the world free.  I wish humanity was in a kinder, gentler situation.. but the reality is some crazy people want to kill as many people as possible.

Yes!  I agree that governments with unrestricted power can be MUCH more dangerous.  Some transparency with check and balances are necessary.

 

WAR OF INFORMATION

The post modern war conflict is a fight over ideology. Its less about my nation versus your nation and more and more about belief systems.  

RIGHT NOW there is someone with the intent to kill as many people as possible.  With the capability and opportunity they would strike.  There IS an enemy and they are anywhere and everywhere.  You can no longer point at a map and say “All these people are my enemy.”

Now there is an enemy willing to kill you over what you believe, what you represent and what they think you are.  And more than likely, THEY are living in your city.   Who are “THEY”?

Figuring out who THEY are.. is where data mining and correlation comes in.

The threat-source can be from ANY country, race, creed, or religious faction. They are more and more likely to have a citizenship in your country for the sake of having free reign to make the most damage on the most people that represent what they seek to destroy.

Its sounds crazy until a bomb goes off in the middle of a Boston Marathon with the attackers on their way to Time Square.  Luckily, there was surveillance to help deter further killings.

How do we fight against these threats?
Threats can be detected via patterns within information.

Solution:  The government should allow the program manager of the system to explain why its necessary, provide proof of its usefulness.  Limit the use and extent of PRISMs power.

I hope the president will listen to the Internet community on this.  I hope that some political party will hear the cries of thousands of potential constituents then take an intelligent look at the public’s concerns.  Realistically, the American public voted on the reps that backed the laws that created this system.  They accepted it by proxy.  But the shock is from the alleged reach of this program.  Its too bad it took Snowden is risking years away from home and possibly prison for the US to wake up and start talking about something that was leaked years ago.

ia awareness training

Information Assurance Awareness Training


NIST Special Publication 800-50, is a regulation dedicated to IA Awareness Training



NIST SP 800-5, Building an Information Technology Security Awareness & Training Program


The 800-50 includes guidance on development and sustainment of an awareness & training IT Security (aka information assurance training) program for all users, employees and supervisors within an organization. Having a training program is mandated by the Federal Information Security Act of 2002.

IA Awareness Training – Roles & Responsibilities

Agency heads – must ensure that high priority is given to effective security awareness and training for employees. Appoint a CIO
CIO Establish overall strategy, funding, tracking and report is in place for the IT security awareness and training program
IT Security Program Manager tactical deployment, development and maintenance of the IT security & awareness program.
Managers responsible for complying with IT security awareness program. Work with CIO and IT Security Program Managers to share responsibility. Ensure all users are trained to fulfill their security roles before access is giving. Promote professional development and certification of the IT staff.
Users largest audience in any organization and are the single most important group of people who can help to reduce unintentional errors.


800-50 calls learning a continuum. The continuum of learning starts awareness and builds into education.
Awareness awareness is not training. Awareness focuses on security concerns to ensure users are mindful of basic rules and issues in a given environment.


Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. – 800-50

Training is a formal focused method to develop a skill for job performance.
Training strives to produce relevant and needed security skills and competencies 800-50


Education combines multidisciplinary areas into a common body of knowledge.



Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response. –800-50

Social Security Death Records

Social Security Death Records
Looking for accurate social security death records and finding the accurate resources is not an easy task. There are many reasons behind the collection of these records that may differ from person to person. Sometimes the free information provided may not be accurate because records are not updated every time. One must have a clear understanding of social security death records and the various resources or index available for such information.

What is Social Security Death Records? Social Security death Records consist of information on a deceased person. This includes first and last name, date of birth, date of death, residential status and last known address. These records provide an overview for different surveys and meeting the personal requirements.

Why people want social Security Death Records? The reason behind searching these records differ from one person to another. Some people might need it for their personal reference to find their ancestor’s history or to find their lost friend. Another use of death records is for commercial purpose by different companies. These companies require these records for various surveys to find the accurate death rates. Some companies also keep this information with them to further provide it to different private and public sectors. Other purposes of maintaining these records is to prevent fraud so that no one can misuse the identity of a deceased person. This helps in decreasing criminal activities.

Which resources should concern people? There are millions of resources providing Social security death records. Here are few reliable resources to get information related to death records in the form of death index:
• Social Security Death Index- This is very reliable resource of US citizens that holds around 74 million records. This record provides with records of those person died after 1962. The death certificate issued includes a social security number for accurate identification. This allows one to indicate date of birth, place of birth and proper names of their ancestors. One can find this index over internet on searching on sites like Ancestry.com to know the exact family history.
• Free Ancestry Search- Many companies are providing free online search for death records with a great sense of accuracy. One can search of Familylink.com for free search and obtaining better results.
• Death Records Search- One can take the help of online databases through links such as Death-records.net for valuable information. What one has to do is search according to the location and number provided.
• AllvitalRecords.com- One can search on the following link by just entering the name of their ancestor. To obtain a healthy search try to make it location wise, this will help to get accurate results.

Unfortunately Social Security Records are often used in identity theft and fraud.

google’s Safe Browsing Alerts

The all seeing eye of Google is upon Safe browsing and and alerts for your network. I think this is proof that Google is not “evil” as some say. Some believe that Google is “evil” just because they want to organize all of the worlds data. To this I say, “stop, hatin’!”

Google has taken steps toward protecting is users from malware and phishing attacks by alerting webmasters of malicious content and bad URLs.

Now Google offers a service for Network Administartors that allows system owners to receive early notifications for malicious content on their network. Its called “Google Safe Browsing Alerts“. As an example of how powerful this can be, imagine an Internet Service Provider have such a service.

I can already hear the “nayers of google” crying, “what about the privacy of the networks and your users?” To this I say, “SHUT THE HELL UP!” Google loves you. Google died for your sins. Repent, for the kingdom of Google is at hand.
http://safebrowsingalerts.googlelabs.com/

That is all.

http://googleonlinesecurity.blogspot.com/2010/09/safe-browsing-alerts-for-network.html

1 2 3 6